CircleCI, the leading continuous integration and continuous delivery (CI/CD) platform, today announced a new suite of platform capabilities and integrations.
Today, software teams are building at greater velocity while relying on a variety of dependent software. And with the interconnectedness of modern businesses, coupled with the increasing rate of change in the software ecosystem, it’s hard for these teams to release code with the utmost confidence. This underscores the need for practices such as CI/CD, which has become the lynchpin of the software development pipeline.
Which is why today, CircleCI released several new security and compliance capabilities to aid developers to trust and maintain the stability of their software.
“As the complexities of software development increases, there is a pertinent need for developer teams to more seamlessly integrate the latest and most advanced security features available,” said Jim Rose, CEO of CircleCI. “We are continuously evolving our security standards and introducing features that improve the security of our customers’ build pipelines and their ability to smartly manage risk.”
“Large-scale enterprise teams can find adopting and scaling widespread best practices in software delivery across teams, departments, and geographies challenging,” said Jim Mercer, Research Vice President of DevOps and DevSecOps IDC. “With these new capabilities, CircleCI provides a practical approach to managing current and future software delivery security requirements.”
CircleCI’s platform additions include:
Flexible compliance with Config Policies
Also Read: Critical Cybersecurity Crime Developments to Focus on in 2023
It can be difficult for engineering teams to manage and enforce organization-wide conventions and adherence to software delivery policy. To provide customers an additional layer of control and compliance, CircleCI utilized Open Policy Agent, an industry standard policy engine, to create Config Policies, which offers the most flexible approach to organizational governance on the market today. Through self-serve configuration as code, they simultaneously allow for flexibility and individual team empowerment while also enabling greater organizational alignment.
CircleCI’s policy enforcement allows organizations to quickly apply common rules like orb allowances, or write deeply customized rules enforcing access to credentials, resources, and functions. Customers have the ability to enforce a multitude of company policy use cases spanning from cost-control to compliance. Such use cases include:
- Force security related jobs to run in pipelines
- Control how contexts are or are not being used
- Control use of docker containers and executors
- Allow and disallow specific orbs or versions
“Development teams desire autonomy in selecting the tools that work best for them, while at the same time security and compliance teams are interested in governance of the overall estate. Both groups are crucial to successful creation of software. Helping engineering teams to standardize their processes across their projects and across different teams is imperative for effective collaboration. By releasing features like Config Policies, CircleCI is working to provide choice with guardrails and enable speed and quality across development organizations,” said Rachel Stephens of RedMonk.
Server 4.1 with AirGap support
This release includes AirGap support. With this latest release, CircleCI’s server can now be installed on an isolated network and provide core functionality without access to an internet connection.
CircleCI server 4.1 is designed to meet the strictest security, compliance, and regulatory requirements. This self-hosted solution offers the ability to scale under load and run multiple services at once, all within a team’s Kubernetes cluster and network with the full CircleCI cloud experience.
Also Read: Effective Network Segmentation Practices in Cybersecurity
More granular secret enhancements
Integrations with OpenID Connect ID (OIDC) remove the need for customers to store long lived secrets (passwords, api keys, etc) in the CircleCI system. It provides a short lived token which can be used to access a system that supports OIDC and allows you to assign CircleCI as a trusted actor. OIDC support was recently enhanced to include granular control of CircleCI’s access in customer’s 3rd party tools like AWS.
Other secret enhancements include:
- Project restricted contexts that allow an organization to limit contexts to a specific set of projects.
- An updated Context UI that includes a “created at” and “updated” at timestamp. This allows customers to quickly assert the status of long lived secrets.
- A script for secret finding in order to create an actionable list for secrets rotation.
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
